Nice job, fellers! Can’t wait to try it on my dev server! But given my schedule, I think that will be in March.

From: Christian Folini <christian.fol...@netnea.com>
Sent: Friday, August 19, 2016 11:18 PM
To: Barry Pollard <barry_poll...@hotmail.com>
Cc: owasp-modsecurity-core-rule-set@lists.owasp.org
Subject: Re: [Owasp-modsecurity-core-rule-set] CRS3-RC1 not working on Apache 2.2

Hi there,

Thanks Barry. I certainly did not expect many people to jump into this
immediately. It's a release candidate after all and there are many
constraints for existing servers.

I agree that a new service is better off starting with the CRS3
immediately, than deploying CRS2 and migrating sooner or later.

What felt bad was the radio silence here on the list. A thumbs up
would be nice. A "thanks for the RC. Looking forward to install it
when I find the time" style message. I guess you get the idea.

Ahoj,

Christian

On Fri, Aug 19, 2016 at 09:01:56PM +0000, Barry Pollard wrote:
> Christian I think you missed possibly the two main reasons for lack of
> comments:
>
> 1. People haven't had a chance to try it yet. It's been out 3 days! While you
> guys have spent a lot of time on this, and I honestly appreciate that,
> ModSecurity is not my full time job and while I personally do intend to have
> a look I've simply not had the time yet. I subscribe to this mailing list to
> keep abreast of changes, be aware of issues and help out when I can but that
> doesn't mean I'm going to jump immediately at any changes - particularly big
> ones like this.
>
> 2. Is there a benefit in upgrading? Now before you take offence at that let
> me explain what I mean by that: I've invested a lot of time tuning the older
> CRS on the websites I look after to the point it doesn't false alert much. It
> works for me, I'm happy with it and it's not missing any features that CRS3
> will give me AFAIK. Would installing ModSecurity have been easier if CRS3 was
> about then? Absolutely! And if adding ModSecurity to a new site going forward
> then I'll almost certainly go straight with version 3, but for me, one of the
> main benefits of this upgrade is the ease of installing it - as it shouldn't
> be full of false positives when installed with default settings like 2.9 and
> previous were. As I say, I've already got 2.9 working now, so that doesn't
> benefit me as much. I've also a certain amount of fear of time it would take
> to configure, and make me have to reimplement my tuning, for little extra
> benefit at this point. Do let me know if I'm missing something and you feel
> there's some big benefits to me that should make me jump this up my
> priority list.
>
> I think the work done here seems great. I think it seems to lay a good
> foundation for future development of the CRS. And I appreciate the time gone
> into it and the frustration the radio silence since release must feel like. I
> followed with interest the discussions on this but never actually installed
> the version 3 rules while they were being developed for above reasons so, for
> me, it's not as simple as upgrading to RC1 and giving further feedback.
>
> Will feedback when I get a chance to look and hopefully others, that have
> taken time to have a go with this, will give you some of the feedback you're
> looking for.
>
> Thanks,
> Barry
>
>
> > On 19 Aug 2016, at 20:39, Christian Folini <christian.fol...@netnea.com>
> > wrote:
> >
> > Dear all,
> >
> > We had the first major bug report for CRS3-RC1 today.
> > https://github.com/SpiderLabs/owasp-modsecurity-crs/issues/542
> >
> > The maximum line length of Apache 2.2 is too short for two of the
> > new Remote Command Execution rules which come in at over 10K bytes.
> >
> > Expect a fix on github in the next few days; certainly for RC2.
> >
> > Meanwhile Apache 2.4 is doing great and github user @emphazer who
> > discovered this bug reports of over 100 production machines running
> > CRS3-RC1.
> >
> > But the list here has remained silent over the release. I see several
> > possible reasons:
> > - Nobody gives a shit
> > - It fails so miserably on your server you removed it immediately and
> > you do not want to talk about CRS anymore
> > - It worked like a charm without any false positives, so you forgot
> > about its existence instantly.
> >
> > Either way, some feedback would be nice. This is an opensource project.
> > Chaim and Walter worked day and night for this, and if not even the
> > project mailinglist has some positive or negative feedback, then I
> > wonder why anybody is doing this at all.
> >
> > Best,
> >
> > Christian Folini
> >
> >
> > --
> > https://www.feistyduck.com/training/modsecurity-training-course
> > mailto:christian.fol...@netnea.com
> > twitter: @ChrFolini
> > _______________________________________________
> > Owasp-modsecurity-core-rule-set mailing list
> > Owasp-modsecurity-core-rule-set@lists.owasp.org
> > https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set